
OPSEC

Check Point™ SAM (Suspicious Activities Monitoring) API Specification
OPSEC SDK 6.0

May 2006
© 2003-2006 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2006 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl,
Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID,
IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home,
Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1,
SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor,
SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address
Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX,
VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software
Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products
described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents,
foreign patents, or pending applications.

For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 51.
Contents

Preface
    Who Should Use This Guide  8
    Summary of Contents  9
    What Typographic Variations Mean  10

Chapter 1 Introduction
    Overview  14
    Programming Model  15
        Some Common Models  15
        Defining a SAM Client  19
        Client Server Configuration  19
        SAM API Overview  19

Chapter 2 API Functions
    Filters  26
    Function Calls  30
    The Table Management  39
    Event Handlers  44
        Event Handler for the SAM_ACK Event  44
        Event Handler for the SAM_MONITOR_ACK Event  47

Index  57

Preface

In This Chapter

Who Should Use This Guide page 8
Summary of Contents page 9
What Typographic Variations Mean page 10

Who Should Use This Guide


This document describes the OPSEC SAM (Suspicious Activities Monitoring) API
Specification.
This API specification is written for developers who write software to enhance the
network security provided by VPN-1.
It assumes that you have read the Check Point VPN-1 OPSEC API Specification.
It also assumes that you have a basic understanding and a working knowledge of
the following:
• system and network security
• the VPN-1 product
• system and network administration
• the C and/or C++ programming language
• the Unix or Windows operating system
• Internet protocols

Summary of Contents
This guide contains the following chapters:

Table A-1

Chapter                       Description
Chapter 1, “Introduction”     Describes the SAM (Suspicious Activities Monitoring)
                              Specification, which integrates third-party suspicious
                              activity detection applications with VPN-1’s network
                              traffic control capabilities.
Chapter 2, “API Functions”    Lists the different filters a SAM Client may specify
                              when requesting the SAM Server to take an action or
                              monitor an action.

What Typographic Variations Mean


The following table describes the typographic variations used in this book.

TABLE P-1 Typographic Conventions

Typeface or Symbol      Meaning                               Example
AaBbCc123               The names of commands, files, and     Edit your .login file.
                        directories; on-screen computer       Use ls -a to list all files.
                        output; code                          machine_name% You have mail.
                                                              session = sam_new_session
                                                              (client, server);
AaBbCc123               same as above, but with emphasis      session = sam_new_session
                                                              (client, server);
Save                    Text that appears on an object in a   Click on the Save button.
                        window
<your text>             Replace the angle brackets and the    Edit the file
                        text they contain with your text.     <FWDIR>\lib\yourfile.xx
.                       Lines of data or code omitted from    line 1
.                       example                               line 2
.                                                             .
                                                              .
                                                              .
                                                              line n
[item]                  The item is optional.                 dir [/o]
[item1] ... [item2]     List of optional items                dir [/o] [/w] [/s]
item1 | item2 | item3   Choose one of the items.              copy infile1 | infile1 + infile2
                                                              | infile1 + infile2 + infile3
                                                              outfile
italic                  Specific values will be shown in      one of addnet | addapp
                        italics
Chapter 1
Introduction
In This Chapter

Overview page 14
Programming Model page 15
Some Common Models page 15
Defining a SAM Client page 19
Client Server Configuration page 19
SAM API Overview page 19

Overview
Check Point’s OPSEC (Open Platform for Security) integrates and manages all
aspects of network security through an open, extensible management framework.
Third party security applications can plug into the OPSEC framework via published
application programming interfaces (APIs). Once integrated into the OPSEC
framework, all applications can be configured and managed from a central point,
utilizing a single Security Policy editor.
This document describes the SAM (Suspicious Activities Monitoring) Specification,
which integrates third-party suspicious activity detection applications with VPN-1’s
network traffic control capabilities.

Programming Model
The SAM (Suspicious Activities Monitoring) API Specification enables third party
applications that monitor network activity to request VPN-1 to take certain actions
for certain connections. The SAM API also enables the monitoring applications (the
SAM Clients) to request information about current SAM actions.
For example, the monitoring application (the SAM Client) may ask VPN-1 to block
a connection with a client that is attempting to issue illegal commands or
repeatedly failing to complete a login. A log entry is generated every time VPN-1
receives a request for action.
The actions specified by the SAM Client (the monitoring application) are often
dynamic and time-dependent. For example, the SAM Client may request VPN-1 to
block all connections that match certain criteria for 1 minute, and then to monitor
active SAM requests influencing the connection.
The SAM API implements communications between the SAM Client and the VPN-1
SmartCenter Server or VPN-1 Module, which acts as a SAM Server. The way the
SAM Client detects suspicious activity and determines the appropriate actions is
beyond the scope of the SAM API.

Some Common Models


Three common programming models are illustrated below.

Monitoring Gateways
In the following example, a SAM Client monitors network activity through two
VPN-1 Modules located on FireWalled gateways.

Figure 1-1 SAM Programming Mode

Acquiring Data about Connections


One way the SAM Client can acquire data about connections is to use the OPSEC
LEA (Log Export API) Server. In this case, the programming model might be the
one illustrated in Figure 1-2.

Figure 1-2 Combined LEA-SAM Programming Model
[Figure: the Internet, two Routers, a Management Station, two FireWalled Gateways and a LEA/SAM Client]

In this model, a single application acts both as a LEA and SAM Client. The LEA
Server and the SAM Server are both located on SmartCenter Server.
For more information about LEA, see the Check Point™ VPN-1 LEA (Log Export API)
Specification.

SAM Server as Proxy


A SAM Client’s request that an action be taken or monitored is addressed
to one or more VPN-1 Modules.
A SAM Server may act in agent mode or in proxy mode. When in agent mode, the
SAM Server inhibits or closes the given connection through its local VPN-1 Module.
When in proxy mode, the SAM Server passes the request on to other SAM Servers
as appropriate. This is illustrated in Figure 1-3 below.

Figure 1-3 SAM Server as Proxy
[Figure: a VPN-1/FireWall-1 Management Station with a VPN/FireWall Module acting as SAM proxy, and FireWalled Gateways acting as SAM Servers (agent mode)]

A SAM Server that is located on a SmartCenter Server always functions in proxy
mode.
By default, a SAM Server that is not located on a SmartCenter Server functions only
in agent mode. That is, it can only process the action requests that are directly
addressed to itself.

Setting up a SAM Server that is not located on a Management as a Proxy:

• For NG, refer to the “Workstation Properties Window–SAM” section in the
  “Network Objects Chapter” of the “Check Point SmartCenter Guide”.
• In versions prior to NG modify $FWDIR/conf/fwopsec.conf so that the value of
  fw_allow_remote_requests is set to yes, as follows:

      fw_allow_remote_requests yes

SAM Log File


All SAM requests enforced on a VPN-1 module are also saved in a file. The file is
later used when the module boots in order to restore all previous SAM requests.
The file also includes obsolete requests, such as timed out or canceled requests,
that can be purged.
For setting up the SAM log file in NG, refer to the “Workstation Properties
Window–SAM” section in the “Network Objects Chapter” of the “Check Point
SmartCenter Guide”.

Note - The purge will affect only obsolete requests. File size for valid requests is unlimited.

Defining a SAM Client


Integrating a SAM Client with VPN-1 consists of configuring communication
between VPN-1 and the SAM Client. This requires the OPSEC and SAM APIs, and
involves the following steps:
1. If communication between VPN-1 and the SAM Client is to be authenticated,
   performing a key or certificate exchange.
   For more information, see “Establishing an Authentication Key” or “Pulling
   Certificates” in chapter one of the Check Point VPN-1 OPSEC API
   Specification.
2. Using the SAM API to write the event handler required to implement
   communication between the SAM Client and the VPN-1 SAM Server.
   This is described in detail in “SAM API Overview” on page 19.

Client Server Configuration


For information on configuring SAM Clients and Servers, see “Client-Server
Connection” on page 37 of Check Point VPN-1 OPSEC API Specification.

SAM API Overview


The SAM Client uses the OPSEC and SAM API functions to communicate with the
SAM Server.


SAM Client Application Structure


A SAM Client’s main function should proceed as illustrated below:
Figure 1-4 SAM Client Application Structure

[Figure: flow of a SAM Client's main function, in order]
• initialize OPSEC environment
• initialize SAM Server entity
• initialize SAM Client entity
• start the OPSEC session
• start the main loop (the main loop passes events to the Event Handlers)
• free the SAM Server entity
• free the SAM Client entity
• free the OPSEC environment

Once the OPSEC environment and the SAM session are both initialized, the main
loop waits for events to occur and then processes them. Events are handled by the
SAM API functions. The main loop is terminated by the underlying OPSEC level.
For more information on sam_new_session, see page 30.

Event Handling
The SAM Server keeps the SAM Client informed about the status of its request by
acknowledging each of the following stages of processing:
• The SAM Server has received the SAM Client’s request
• The SAM Server has processed the request for one of the specified VPN-1
Modules.
• The SAM Server has processed the request for all specified VPN-1 Modules.
• The SAM Server has encountered an error.
Depending on the type of request being processed, the SAM Server triggers one of
two events:
• SAM_ACK, if the SAM Server is processing a request for action (e.g. that
connections be closed or inhibited).
• SAM_MONITOR_ACK, if the SAM Server is processing a request that SAM actions be
monitored.
The SAM Client responds to these events using the event handler (callback)
functions set in the call to opsec_init_entity for the Client entity. These
callbacks are set using the attributes listed below:

Table 1-1 opsec_init_entity - SAM entity_type values

value                      type      meaning
SAM_ACK_HANDLER            handler   the event handler for the SAM_ACK event (see page 44)
SAM_MONITOR_ACK_HANDLER    handler   the event handler for the SAM_MONITOR_ACK event (see page 47)

For more information on opsec_init_entity, see Chapter 2 of the Check Point
VPN-1 OPSEC API Specification.

Requests for Action


The SAM Client can request that the SAM Server take one of the following actions:
• log connection attempts to or from a specified IP address or subnet
• inhibit and log connection attempts to or from a specified IP address or subnet
• inhibit and log connection attempts to or from a specified IP address, and close
all existing connections to or from that address or subnet

Packets for the inhibited connections may be dropped (so that VPN-1 is
transparent) or rejected.
• stop inhibiting and logging connection attempts to or from a specified IP
address or subnet
• clear all active SAM actions
The first three of these actions can be limited to a given amount of time. For
example, the SAM Client can request that the SAM Server block all connection
attempts for two minutes.
The SAM Client can also specify whether a given action should be logged and/or
generate an alert.
Finally, the SAM Client can specify a filter in the action request, so that the action
will apply only to connections fulfilling criteria such as source IP address or
subnet, destination IP address or subnet, destination port and IP protocol. For more
information, see “Filters” on page 26.
This functionality is implemented using the following API function:

Table 1-2 API functions managing action requests

function name See...


sam_client_action page 30

Requests for Monitoring SAM Actions


The SAM Client can request that the SAM Server report currently enforced SAM
actions of a certain type. For example, the SAM Client may request the SAM Server
to report all the inhibit SAM actions enforced on a particular VPN-1 Module.
As with requests for action, the SAM Client may specify a filter in the action
monitoring request, so that the SAM Server will report only those SAM actions
affecting connections that match the filter. For example, the SAM Client may
request that the SAM Server report all the inhibit SAM actions enforced on a
particular VPN-1 Module which will affect connections originating from a certain
subnet.

Table 1-3 API functions managing monitoring requests

function name See...


sam_client_monitor page 35

The results of the monitoring are placed in the SAM Table in the
SAM_MONITOR_ACK_HANDLER callback. The resulting table can be managed using
the following functions:

Table 1-4 Functions managing monitoring table

function name See...


sam_table_get_nrows page 40
sam_table_get_ncols page 40
sam_table_get_format page 41
sam_table_iterator_create page 41
sam_table_iterator_destroy page 42
sam_table_iterator_next page 42

Threads
The SAM API multithread level is “reentrant”. This means that:
• Multiple threads may use the SAM API concurrently.
• Multiple threads may not share data generated by the SAM API.
For more information, see “Multithreaded OPSEC Applications” in the Check Point
VPN-1 OPSEC API Specification.

Chapter 2
API Functions
In This Chapter

Filters page 26
Basic filters page 26
Filters with subnet masks page 28
Function Calls page 30
sam_new_session page 30
sam_client_action page 30
sam_client_monitor page 35
The Table Management page 39
sam_table_get_nrows page 40
sam_table_get_ncols page 40
sam_table_iterator_create page 41
sam_table_iterator_destroy page 42
sam_table_iterator_next page 42
Event Handlers page 44
Event Handler for the SAM_ACK Event page 44
Event Handler for the SAM_MONITOR_ACK Event page 47

Filters
This section lists the different filters a SAM Client may specify when requesting the
SAM Server to take an action or monitor an action.
• For sam_client_action (see page 30), action is taken only for connections
that fulfill the criteria specified by the filters.
• For sam_client_monitor (see page 47), actions are monitored only for
connections that fulfill the criteria specified by the filters.
Table 2-1 below lists basic filters. Table 2-2 on page 28 lists filters that use subnet
masks.
A subnet mask, together with an IP address, identifies the specified host’s network
location. Subnet masks can be useful in preventing Denial of Service attacks. If the
SAM Client determines that an attack is coming from several hosts on a single subnet
(network), the filters that use subnet masks enable the SAM Client to make
requests that apply to the network rather than to individual hosts.

Note - IP addresses are in network order and of type ulong. port and protocol arguments
are of type ushort.

Table 2-1 Basic filters

filter                                    meaning

SAM_SRC_IP, <IP_address>                  Apply request to connections whose source IP
                                          address is <IP_address>.

SAM_DST_IP, <IP_address>                  Apply request to connections whose destination
                                          IP address is <IP_address>.

SAM_ANY_IP, <IP_address>                  Apply request to connections whose source or
                                          destination IP address is <IP_address>.

SAM_SERV, <source_IP_address>,            Apply request to connections for which all the
<dest_IP_address>, <dport>, <ipproto>     following conditions are true:
                                          • source IP address is <source_IP_address>
                                          • destination IP address is <dest_IP_address>
                                          • destination port is <dport>
                                          • IP protocol is <ipproto>

SAM_DST_SERV, <dest_IP_address>,          Apply request to connections for which all the
<dport>, <ipproto>                        following conditions are true:
                                          • destination IP address is <dest_IP_address>
                                          • destination port is <dport>
                                          • IP protocol is <ipproto>

SAM_SRC_IP_PROTO,                         Apply request to connections for which all the
<source_IP_address>, <ipproto>            following conditions are true:
                                          • source IP address is <source_IP_address>
                                          • IP protocol is <ipproto>

SAM_DST_IP_PROTO,                         Apply request to connections for which all the
<dest_IP_address>, <ipproto>              following conditions are true:
                                          • destination IP address is <dest_IP_address>
                                          • IP protocol is <ipproto>

SAM_ALL                                   Apply requests to all connections (valid only
                                          for “sam_client_monitor” on page 35).


Table 2-2 Filters with subnet masks

filter                                    meaning

SAM_SUB_SRC_IP, <source_IP_address>,      Apply request to connections whose source IP
<smask>                                   address matches <IP_address> with <smask>
                                          subnet mask.

SAM_SUB_DST_IP, <dest_IP_address>,        Apply request to connections whose destination
<smask>                                   IP address matches <IP_address> with <smask>
                                          subnet mask.

SAM_SUB_ANY_IP, <IP_address>, <smask>     Apply request to connections whose source or
                                          destination IP address matches <IP_address>
                                          with <smask> subnet mask.

SAM_SUB_SRC_IP_PROTO,                     Apply request to connections for which all the
<source_IP_address>, <smask>,             following conditions are true:
<ipproto>                                 • source IP address matches
                                            <source_IP_address> with <smask> subnet mask
                                          • IP protocol is <ipproto>

SAM_SUB_DST_IP_PROTO,                     Apply request to connections for which all the
<dest_IP_address>, <smask>,               following conditions are true:
<ipproto>                                 • destination IP address matches
                                            <dest_IP_address> with <smask> subnet mask
                                          • IP protocol is <ipproto>

SAM_SUB_DST_SERV, <dest_IP_address>,      Apply request to connections for which all the
<smask>, <dport>, <ipproto>               following conditions are true:
                                          • destination IP address is <dest_IP_address>
                                            with <smask> subnet mask
                                          • destination port is <dport>
                                          • IP protocol is <ipproto>

SAM_SUB_SERV,                             Apply request to connections for which all the
<source_IP_address>, <source_smask>,      following conditions are true:
<dest_IP_address>, <dest_smask>,          • source IP address matches
<dport>, <ipproto>                          <source_IP_address> with <source_smask>
                                            subnet mask
                                          • destination IP address matches
                                            <dest_IP_address> with <dest_smask> subnet
                                            mask
                                          • destination port is <dport>
                                          • IP protocol is <ipproto>

SAM_SUB_SERV_SRC,                         Apply request to connections for which all the
<source_IP_address>, <smask>,             following conditions are true:
<dest_IP_address>, <dport>,               • source IP address matches
<ipproto>                                   <source_IP_address> with <smask> subnet mask
                                          • destination IP address matches
                                            <dest_IP_address>
                                          • destination port is <dport>
                                          • IP protocol is <ipproto>

SAM_SUB_SERV_DST,                         Apply request to connections for which all the
<source_IP_address>,                      following conditions are true:
<dest_IP_address>, <smask>,               • source IP address matches
<dport>, <ipproto>                          <source_IP_address>
                                          • destination IP address matches
                                            <dest_IP_address> with <smask> subnet mask
                                          • destination port is <dport>
                                          • IP protocol is <ipproto>

Function Calls
This section describes the functions provided by the OPSEC SAM API. The function
prototypes are defined in the file sam.h.

sam_new_session
sam_new_session initializes an OPSEC session between the SAM Client and the
SAM Server.
Unless requests seldom occur, it is recommended that the same SAM session be
used to process all of them. In other words, there is no need to start a new session
for each request.

Prototype
OpsecSession *sam_new_session(OpsecEntity *client, OpsecEntity *server);

Arguments

Table 2-3 sam_new_session arguments

argument    meaning
client      A pointer to the Client entity, as returned by opsec_init_entity.
server      A pointer to the Server entity, as returned by opsec_init_entity.

Return Values
Pointer to new session if successful. NULL if error.

sam_client_action
sam_client_action requests that the SAM Server inhibit and/or close and/or log
connections according to one of the filters in Table 2-1 or Table 2-2.

Prototype
int sam_client_action(OpsecSession *session, int action,
int log_flag, char *fwhost, void *handler_data, ...);

Arguments

Table 2-4 sam_client_action arguments

argument        meaning

session         A pointer to an OPSEC session, as returned by sam_new_session.

action          The action to be taken. One of the following values:
                Note - SAM_CANCEL is used in connection with the action it cancels

                value                         meaning
                SAM_NOTIFY                    All connection attempts should be logged as
                                              specified by the log_flag argument.
                SAM_INHIBIT                   All connection attempts should be inhibited
                                              and logged as specified by the log_flag
                                              argument. Packets are rejected.
                SAM_INHIBIT_AND_CLOSE         All connection attempts should be inhibited
                                              and logged as specified by the log_flag
                                              argument, and all existing connections
                                              should be closed. Packets are rejected.
                SAM_INHIBIT_DROP              All connection attempts should be inhibited
                                              and logged as specified by the log_flag
                                              argument. Packets are dropped rather than
                                              rejected.
                SAM_INHIBIT_DROP_AND_CLOSE    All connection attempts should be inhibited
                                              and logged as specified by the log_flag
                                              argument, and all existing connections
                                              should be closed. Packets are dropped
                                              rather than rejected.
                SAM_CANCEL                    This undoes the effect of specific
                                              SAM_NOTIFY, SAM_INHIBIT,
                                              SAM_INHIBIT_AND_CLOSE, SAM_INHIBIT_DROP or
                                              SAM_INHIBIT_DROP_AND_CLOSE requests (but
                                              does not reopen closed connections).
                                              The rest of the parameters to
                                              sam_client_action (except for timeout)
                                              should be identical to those of the
                                              requests to be cancelled.
                                              SAM_CANCEL should be bitwise or’ed “|” with
                                              the action it will undo.
                SAM_DELETE_ALL                This clears all SAM actions currently
                                              enforced (but does not reopen closed
                                              connections).

log_flag        log_flag specifies what kind of log will be generated.

                value                         meaning...
                SAM_NOLOG                     No logs are generated.
                SAM_LONG_NOALERT              A log is generated without an alert.
                SAM_LONG_ALERT                A log and alert are both generated.

fwhost          A string designating the firewalled host(s) through which the specified
                connections should be inhibited or closed. A log entry is generated on
                each designated host every time this function is called.
                fwhost can be any of the following:

                value                         meaning that the specified connection will
                                              be closed or inhibited through the VPN-1
                                              Module(s)...
                “localhost”                   ... on the machine on which the SAM Server
                                              is running — this is the default
                the name of a VPN-1 object    ... on this object; if this object is a
                or group                      group, on every object in the group
                “All”                         ... on all the objects managed by the Check
                                              Point SmartCenter Server (on or under where
                                              SAM is running) which are defined as having
                                              VPN-1 installed
                “Gateways”                    ... on all the objects managed by
                                              SmartCenter Server (on or under which the
                                              SAM server runs) which are defined as
                                              gateways and have VPN-1 installed

handler_data    The data to be passed to the event handler for the SAM_ACK event. See
                section “Event Handler for the SAM_ACK Event,” on page 44. Can be used to
                assign an ID to each request.

timeout         “SAM_EXPIRE” followed by the number of seconds for which this action
                should be in effect (e.g. SAM_EXPIRE, 1800).
                SAM_EXPIRE_NEVER means the action should be in effect until cancelled.
                If several requests have the same parameters but different timeout
                values, then the longest timeout will be in effect.
                Note - the timeout value argument is of type signed int and given in
                seconds. Therefore, it should not exceed 2,147,483, which is the result
                of MAX_INT / 1000.

filter          “SAM_REQ_TYPE” followed by one of the values listed in Table 2-1 on
                page 26 or in Table 2-2 on page 28. Action is then applied only to
                connections which match the criteria specified by the filter.

NULL            This indicates the end of the argument list.

Return Values
0 if successful. -1 if error.

Examples
• sam_client_action ( session, SAM_DELETE_ALL, SAM_NO_LOG, "All",
                      "action: delete all", NULL );
  This call specifies that the SAM Server should delete all requests for action for
  all FireWalled hosts, and that "action: delete all" be passed to the event
  handler function.
• sam_client_action ( session, SAM_INHIBIT_AND_CLOSE, SAM_LONG_ALERT,
                      "Gateways", "action: inhibit and close",
                      SAM_EXPIRE, 3600, SAM_REQ_TYPE, SAM_SERV,
                      src, dst, dport, ip_p, NULL );
  This call specifies that the SAM Server should inhibit and close off service for
  1 hour and generate a long alert log. This should be done for all firewalled
  gateways, with all connections that match the specified filter. "action:
  inhibit and close" should be passed to the event handler function.
• sam_client_action ( session, SAM_NOTIFY, SAM_LONG_NOALERT, "monica",
                      "action: notify", SAM_EXPIRE, SAM_EXPIRE_NEVER,
                      SAM_REQ_TYPE, SAM_DST_IP, ipaddr, NULL );
  This call specifies that the SAM Server should notify all connections through
  the VPN-1 object “monica” if their destination matches ipaddr. There is no
  timeout on this action, and the SAM Server should generate a long log but no
  alert. "action: notify" should be passed to the event handler function.
• sam_client_action ( session, SAM_INHIBIT, SAM_NO_LOG, "monica",
                      "action: inhibit", SAM_REQ_TYPE,
                      SAM_DST_SERV, dst, port, ipproto, NULL );
  This call specifies that the SAM Server should inhibit all connections on the
  VPN-1 object “monica” to the destination described by dst, port, and ipproto.
  There is no timeout on this action, and the SAM Server should not generate any
  logs or alerts. "action: inhibit" should be passed to the event handler
  function.
• sam_client_action ( session, SAM_INHIBIT, SAM_NO_LOG, "monica",
                      "action: inhibit", SAM_REQ_TYPE,
                      SAM_SUB_SRC_IP, src, smask, NULL );
  This call specifies that the SAM Server should inhibit all connections on the
  VPN-1 object “monica” from all sources described by src and the subnet mask
  smask. There is no timeout on this action, and the SAM Server should not
  generate any logs or alerts. "action: inhibit" should be passed to the event
  handler function.
• sam_client_action ( session, SAM_CANCEL|SAM_INHIBIT,
                      SAM_NO_LOG, "monica",
                      "action: cancel inhibit", SAM_REQ_TYPE,
                      SAM_SUB_SRC_IP, src, smask, NULL );
  This call undoes the effect of the previous action.
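
The src and smask arguments in the subnet-filter calls above must be network-order values, and the timeout must stay within the limit given in the timeout note. The following is an added example, not part of the Check Point specification or SDK, of preparing and sanity-checking those values before calling sam_client_action; the helper names, the /16 policy floor, and reading "matches ... with <smask> subnet mask" as the usual masked compare are assumptions.

```c
/* Added example: hypothetical helpers, not OPSEC SDK functions. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAM_TIMEOUT_LIMIT 2147483L  /* upper bound stated in the timeout note */

typedef struct {
    uint32_t net;        /* network base address, network byte order */
    uint32_t mask;       /* subnet mask, network byte order */
    int      prefix_len; /* number of leading one bits in the mask */
} sam_subnet_args;

/* Parse "a.b.c.d/len" into a network-order address and mask.
 * Host bits are cleared, so the identical values can be reused later in the
 * matching SAM_CANCEL request. Returns 0 on success, -1 on malformed input. */
int sam_prepare_subnet(const char *cidr, sam_subnet_args *out)
{
    char buf[32];
    char *slash, *end;
    long len;
    struct in_addr addr;
    uint32_t mask_host;

    if (cidr == NULL || out == NULL || strlen(cidr) >= sizeof(buf))
        return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash == NULL || !isdigit((unsigned char)slash[1]))
        return -1;
    *slash = '\0';
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    len = strtol(slash + 1, &end, 10);
    if (*end != '\0' || len < 0 || len > 32)
        return -1;
    /* A shift by 32 is undefined in C, so /0 is handled separately. */
    mask_host = (len == 0) ? 0u : (0xFFFFFFFFu << (32 - len));
    out->mask = htonl(mask_host);
    out->net = addr.s_addr & out->mask;
    out->prefix_len = (int)len;
    return 0;
}

/* 1 if `ip` falls inside the filter, 0 if not, -1 if `ip` is malformed.
 * Assumption: the server compares (ip & mask) with (net & mask). */
int sam_subnet_covers(const sam_subnet_args *f, const char *ip)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    return (a.s_addr & f->mask) == f->net;
}

/* Number of addresses an inhibit request with this filter would affect. */
unsigned long long sam_subnet_size(const sam_subnet_args *f)
{
    return 1ULL << (32 - f->prefix_len);
}

/* Local policy guard (assumption): reject masks shorter than min_prefix so a
 * typing error cannot inhibit a very large address range. */
int sam_subnet_within_policy(const sam_subnet_args *f, int min_prefix)
{
    return f->prefix_len >= min_prefix;
}

/* Timeout in seconds for SAM_EXPIRE; SAM_EXPIRE_NEVER is handled by the caller. */
int sam_timeout_ok(long seconds)
{
    return seconds >= 1 && seconds <= SAM_TIMEOUT_LIMIT;
}

int main(void)
{
    sam_subnet_args f;
    char net[INET_ADDRSTRLEN], mask[INET_ADDRSTRLEN];
    struct in_addr a;

    /* Constructed sample input from a documentation address range. */
    if (sam_prepare_subnet("192.0.2.77/24", &f) != 0 ||
        !sam_subnet_within_policy(&f, 16) || !sam_timeout_ok(3600))
        return 1;
    a.s_addr = f.net;  inet_ntop(AF_INET, &a, net, sizeof(net));
    a.s_addr = f.mask; inet_ntop(AF_INET, &a, mask, sizeof(mask));
    printf("src=%s smask=%s covers %llu addresses\n",
           net, mask, sam_subnet_size(&f));
    printf("192.0.2.200 covered: %d\n", sam_subnet_covers(&f, "192.0.2.200"));
    printf("192.0.3.1 covered: %d\n", sam_subnet_covers(&f, "192.0.3.1"));
    /* The values would then be passed as in the page's example, e.g.
     * ..., SAM_EXPIRE, 3600, SAM_REQ_TYPE, SAM_SUB_SRC_IP,
     *      (unsigned long)f.net, (unsigned long)f.mask, NULL);          */
    return 0;
}
```

Keeping the prepared structure alongside the request ID makes it possible to issue the later SAM_CANCEL with exactly the same filter values.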

sam_client_monitor
sam_client_monitor requests from the SAM Server a report on all SAM actions
currently enforced that affect connections matching one of the filters in Table 2-1
or Table 2-2.

Prototype
int sam_client_monitor (OpsecSession *session, int action, char *fwhost,
void *handler_data, ...);

Arguments

Table 2-5 sam_client_monitor arguments

argument        meaning

session         A pointer to an OPSEC session, as returned by sam_new_session.

action          One of the following bitwise or’ed “|” action values may be used:

                Value                                       Meaning
                SAM_INHIBIT | SAM_DROP                      monitor inhibit-drop actions
                SAM_INHIBIT | SAM_REJECT                    monitor inhibit-reject actions
                SAM_NOTIFY                                  monitor notify actions
                SAM_INHIBIT | SAM_REJECT | SAM_NOTIFY       monitor inhibit-reject and
                                                            notify actions
                SAM_INHIBIT | SAM_DROP | SAM_NOTIFY         monitor inhibit-drop and
                                                            notify actions
                SAM_INHIBIT | SAM_REJECT | SAM_DROP         monitor inhibit-reject and
                                                            inhibit-drop actions
                SAM_INHIBIT | SAM_REJECT | SAM_DROP |       monitor all actions
                SAM_NOTIFY

fwhost          A string designating the firewalled host(s) for which the specified
                actions should be monitored. The VPN-1 Modules from which to retrieve
                the information. fwhost can be any of the following:

                value                         information will be retrieved from the
                                              VPN-1 Module(s)
                “localhost”                   ... on the machine on which the SAM Server
                                              is running – this is the default.
                the name of a VPN-1 object    ... on this object; if this object is a
                or group                      group, on every object in the group.
                “Gateways”                    ... on all the objects managed by
                                              SmartCenter Server (on or under which the
                                              SAM server runs) which are defined as
                                              gateways and have VPN-1 installed.
                “All”                         ... on all the objects managed by
                                              SmartCenter Server (on or under which the
                                              SAM server runs) which are defined as
                                              having VPN-1 installed

handler_data    The data to be passed to the event handler for the SAM_MONITOR_ACK
                event. Can be used to assign an ID to each request. See section “Event
                Handler for the SAM_ACK Event,” on page 44 for further information.

filter          “SAM_REQ_TYPE” followed by one of the values listed in Table 2-1 on
                page 26 or in Table 2-2 on page 28. Action is then monitored only for
                connections which match the criteria specified by the filter. SAM_ALL
                filter is a request for all connections. This argument must be supplied
                to sam_client_monitor.

NULL            This indicates the end of the argument list.

Return Values
0 if successful. -1 otherwise.

Examples
• sam_client_monitor ( session, SAM_INHIBIT, "monica",
"action: inhibit", SAM_REQ_TYPE,
SAM_DST_SERV, dst, port, ipproto, NULL);
This call specifies that the SAM Server should report all SAM inhibit actions
affecting connections through the VPN-1 module “monica” to the destination
described by dst, port and ipproto.
• sam_client_monitor ( session, SAM_NOTIFY, "monica",
"action: notify", SAM_REQ_TYPE,
SAM_SUB_SRC_IP, src, smask, NULL);
This call specifies that the SAM Server should report all SAM notify actions
affecting connections through the VPN-1 object “monica” with the source address
and the subnet described by src and subnet mask smask.

The Table Management


The SAM table contains the active SAM requests on the VPN-1 modules that match the
filter and action provided in sam_client_monitor. The functions described in this
section retrieve SAM table properties and enable iteration through the SAM table.
The row format of the SAM table in NG is described in Table 2-6. The row
format can also be obtained at run time by using any of the following:
• “sam_table_get_ncols” on page 40 and the vtype parameter of the function
“sam_table_iterator_next” on page 42
• “sam_table_get_format” on page 41

The SAM Table’s Row Format

Note - For actual types and values refer to Table 2-12.

Table 2-6 The SAM Table’s Row Format

column number   content                    type
1               source IP address          OPSEC_VT_IP
2               source subnet mask         OPSEC_VT_IP
3               destination IP address     OPSEC_VT_IP
4               destination subnet mask    OPSEC_VT_IP
5               destination port           OPSEC_VT_PORT
6               IP protocol                OPSEC_VT_PROTO
7               log flag                   OPSEC_VT_LOG
8               action                     OPSEC_VT_ACTION
9               expiration                 OPSEC_VT_DURATION_TIME

sam_table_get_nrows
sam_table_get_nrows returns the number of rows in the specified SAM Table.

Note - Each row represents a pending action request.

Prototype
int sam_table_get_nrows(opsec_table tab);

Arguments

Table 2-7 sam_table_get_nrows arguments

argument meaning
tab The SAM table as passed to the SAM_MONITOR_ACK event
handler.

Return Values
The number of rows if successful. -1 if error.

sam_table_get_ncols
sam_table_get_ncols returns the number of columns in the specified SAM Table.

Note - Each column corresponds to a field in the pending action request.

Prototype
int sam_table_get_ncols(opsec_table tab);

Arguments

Table 2-8 sam_table_get_ncols arguments

argument meaning
tab The SAM table as passed to the SAM_MONITOR_ACK event
handler.

Return Values
The number of columns if successful. -1 if error.

sam_table_get_format
sam_table_get_format returns the SAM table’s row format as an array of types.

Prototype
opsec_vtype* sam_table_get_format(opsec_table tab);

Arguments

Table 2-9 sam_table_get_format arguments

argument meaning
tab The SAM table as passed to the SAM_MONITOR_ACK event
handler.

Return Values
An array of opsec_vtype’s if successful, NULL on failure. For more information on
vtype values see “sam_table_iterator_next arguments” on page 43.

Note - The array’s length can be retrieved by calling “sam_table_get_ncols” on page 40.

sam_table_iterator_create
sam_table_iterator_create creates a table iterator object.

Prototype
opsec_table_iterator sam_table_iterator_create (opsec_table tab);

Arguments

Table 2-10 sam_table_iterator_create arguments

argument meaning
tab The SAM table as passed to the SAM_MONITOR_ACK event
handler.

Return Values
A SAM table iterator object if successful. NULL on failure.

sam_table_iterator_destroy
sam_table_iterator_destroy destroys the table iterator and frees its memory.

Prototype
void sam_table_iterator_destroy (opsec_table_iterator iter);

Arguments

Table 2-11 sam_table_iterator_destroy arguments

argument meaning
iter The SAM table iterator as returned by
sam_table_iterator_create

Return Values
None.

sam_table_iterator_next
sam_table_iterator_next returns the pointer to the next element.

Note - Element refers to the field’s entry in SAM tables.

Prototype
void * sam_table_iterator_next (opsec_table_iterator iter, opsec_vtype
*vtype);

Arguments

Table 2-12 sam_table_iterator_next arguments

argument  meaning
iter      The SAM table iterator as returned by sam_table_iterator_create
vtype     The virtual type of an element. The user provides a pointer and
          receives the appropriate virtual type:

          opsec value type        actual type                  values
          OPSEC_VT_IP             /* 32 bit network order */   0 for any IP address
          OPSEC_VT_PORT           /* 16 bit unsigned */        0 for any port
          OPSEC_VT_PROTO          /* 16 bit unsigned */        0 for any protocol
          OPSEC_VT_LOG            /* 32 bit unsigned */        Any of the following:
                                                               SAM_NOLOG,
                                                               SAM_LONG_NOALERT,
                                                               SAM_LONG_ALERT
          OPSEC_VT_ACTION         /* 32 bit unsigned */        Any of the following:
                                                               SAM_INHIBIT,
                                                               SAM_INHIBIT_AND_CLOSE,
                                                               SAM_INHIBIT_DROP,
                                                               SAM_INHIBIT_DROP_AND_CLOSE,
                                                               SAM_NOTIFY
          OPSEC_VT_DURATION_TIME  /* time_t */                 SAM_EXPIRE_NEVER if a
                                                               request has no timeout

Return Values
A pointer to the next element in the SAM table if successful. NULL on failure.

Event Handlers
This section describes the functions that need to be written in order to implement
a SAM Client.
All these functions take a pointer to OpsecSession as an argument.
Note that the memory allocated for function arguments is managed by the OPSEC
environment, and that the arguments hold valid data only during the execution of
the handler functions. For this reason, you should not, for example, save a static
pointer to this data for use after the handler function returns.

Event Handler for the SAM_ACK Event


This function is called each time the SAM Server acknowledges a request for action
from the SAM Client. The return value is used to indicate whether the session
should be closed.

Note - The name AckEventHandler is a placeholder. You can assign any name to this
function.

Prototype
int AckEventHandler(OpsecSession *session, int closed, int status,
int index, int total, char *host, void *handler_data);

Arguments

Table 2-13 AckEventHandler arguments

argument      meaning
session       A pointer to an OPSEC session, as returned by sam_new_session
closed        If this is a response to a call to sam_client_action with
              SAM_INHIBIT_AND_CLOSE or SAM_INHIBIT_DROP_AND_CLOSE, closed is
              the number of connections closed. Zero otherwise.
status        One of the following values:

              value                  meaning
              SAM_BAD_DG_ERR         Internal error (malformed SAM datagram).
              SAM_RESOLVE_ERR        The SAM Server was unable to resolve the
                                     name of the VPN-1 object specified as the
                                     fwhost argument to sam_client_action (see
                                     page 31).
              SAM_REQUEST_RECEIVED   The SAM Server received the request. This
                                     status comes only once per request.
              SAM_MODULE_FAILED      The SAM Server was unable to communicate
                                     with one of the specified VPN-1 Modules.
                                     This might happen if the Module is down or
                                     if the authentication procedure used for
                                     VPN-1 communication between the SAM Server
                                     and the Module fails.
              SAM_MODULE_DONE        The SAM Server processed the request for
                                     one of the specified VPN-1 Modules.
index         An ordinal specifying the VPN-1 Module referred to in this call.
              Zero is the first, 1 is the second, etc.
total         The total number of VPN-1 Modules processed in the request.
host          The object name of the VPN-1 Module referred to in this call.
handler_data  The argument passed to sam_client_action (see page 30).

Return Values
OPSEC_SESSION_OK if the session can continue.

OPSEC_SESSION_END if the session is to be closed.

OPSEC_SESSION_ERR if the session is to be closed due to an error.

Notes
Freeing handler_data should be done only when status is SAM_RESOLVE_ERR,
SAM_UNEXPECTED_END_OF_SESSION or SAM_REQUEST_DONE. In all cases, there will be
no further SAM_ACK events based on the call to sam_client_action.

Example
Suppose sam_client_action is called as follows:
sam_client_action(session, SAM_INHIBIT, SAM_LONG_ALERT, "Gateways",
handler_data, SAM_EXPIRE, 3600,
SAM_REQ_TYPE, SAM_ANY_IP, IPaddr, NULL);

If there are three objects defined as firewalled gateways in the SAM Server’s
Security Policy, AckEventHandler will be called five times with the following
sample arguments:

Table 2-14 sample argument to AckEventHandler

call #   index   total   possible status         host
1        -1      -1      SAM_REQUEST_RECEIVED    NULL
2        0       3       SAM_MODULE_DONE         The name of the first gateway.
3        1       3       SAM_MODULE_FAILED       The name of the second gateway.
4        2       3       SAM_MODULE_DONE         The name of the third gateway.
5        -1      -1      SAM_REQUEST_DONE        NULL
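
A request sent to “Gateways” can end with SAM_REQUEST_DONE even though one gateway answered SAM_MODULE_FAILED, so a client that needs the action enforced everywhere has to tally the per-module acknowledgements. The tracker below is an added example, not code from the SDK or from this specification; the demo_* names, the enum values and the gateway names are stand-ins chosen so that it runs without the OPSEC headers.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the SAM status constants named on this page; the real
 * numeric values come from the OPSEC SDK headers. */
typedef enum {
    DEMO_BAD_DG_ERR, DEMO_RESOLVE_ERR, DEMO_REQUEST_RECEIVED,
    DEMO_MODULE_FAILED, DEMO_MODULE_DONE, DEMO_REQUEST_DONE,
    DEMO_UNEXPECTED_END_OF_SESSION
} demo_status;

#define DEMO_MAX_FAILED 8
#define DEMO_HOST_LEN   64

/* Per-request state, the kind of object a client could pass as handler_data. */
typedef struct {
    int received, finished, error;  /* flags set from the statuses seen */
    int total;                      /* module count reported, -1 until known */
    int done, failed;               /* per-module outcomes */
    char failed_hosts[DEMO_MAX_FAILED][DEMO_HOST_LEN];
} demo_request;

/* One acknowledgement, reduced to the handler arguments the tracker uses. */
typedef struct { demo_status status; int total; const char *host; } demo_event;

/* Records one acknowledgement. Returns 1 once a status has arrived after
 * which the Notes allow handler_data to be freed, 0 before that. */
int demo_on_ack(demo_request *r, const demo_event *ev)
{
    switch (ev->status) {
    case DEMO_REQUEST_RECEIVED:
        r->received = 1;
        break;
    case DEMO_MODULE_DONE:
        r->done++;
        r->total = ev->total;
        break;
    case DEMO_MODULE_FAILED:
        /* host is valid only during the handler call, so copy the name */
        if (r->failed < DEMO_MAX_FAILED)
            snprintf(r->failed_hosts[r->failed], DEMO_HOST_LEN, "%s",
                     ev->host ? ev->host : "(unknown)");
        r->failed++;
        r->total = ev->total;
        break;
    case DEMO_BAD_DG_ERR:
        r->error = 1;
        break;
    case DEMO_RESOLVE_ERR:
    case DEMO_UNEXPECTED_END_OF_SESSION:
        r->error = 1;
        r->finished = 1;
        break;
    case DEMO_REQUEST_DONE:
        r->finished = 1;
        break;
    }
    return r->finished;
}

/* 1 only if the request completed and every module applied it. */
int demo_fully_enforced(const demo_request *r)
{
    return r->finished && r->received && !r->error &&
           r->total > 0 && r->failed == 0 && r->done == r->total;
}

/* Replays n events into a fresh tracker; returns the 1-based call that ended it. */
int demo_replay(demo_request *r, const demo_event *ev, int n)
{
    int i;
    memset(r, 0, sizeof *r);
    r->total = -1;
    for (i = 0; i < n; i++)
        if (demo_on_ack(r, &ev[i]))
            return i + 1;
    return 0;
}

/* Constructed sample: the five calls of Table 2-14, gateway names made up. */
const demo_event demo_table_2_14[5] = {
    { DEMO_REQUEST_RECEIVED, -1, NULL },
    { DEMO_MODULE_DONE,       3, "gw-first" },
    { DEMO_MODULE_FAILED,     3, "gw-second" },
    { DEMO_MODULE_DONE,       3, "gw-third" },
    { DEMO_REQUEST_DONE,     -1, NULL },
};

int main(void)
{
    demo_request r;
    int last = demo_replay(&r, demo_table_2_14, 5);
    printf("ended at call %d: done=%d failed=%d (%s) enforced=%d\n", last,
           r.done, r.failed, r.failed_hosts[0], demo_fully_enforced(&r));
    return 0;
}
```

For the Table 2-14 sequence the tracker reports completion on call 5 with the second gateway recorded as failed, so the action is not treated as enforced on all gateways.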

Event Handler for the SAM_MONITOR_ACK Event


This function is called each time the SAM Server acknowledges a request for
information from the SAM Client. The return value is used to indicate whether the
session should be closed.

Note - The name AckMonitorEventHandler is a placeholder. You can assign any name
to this function.

Prototype
int AckMonitorEventHandler(OpsecSession *session, int status, int index,
int total, char *host, void *handler_data, opsec_table monitor_data);

Arguments

Table 2-15 AckMonitorEventHandler arguments

argument      meaning
session       A pointer to an OPSEC session, as returned by sam_new_session
status        One of the following values:

              value                  meaning
              SAM_BAD_DG_ERR         Internal error (malformed SAM datagram).
              SAM_RESOLVE_ERR        The SAM Server was unable to resolve the
                                     name of the VPN-1 object specified as the
                                     fwhost argument to sam_client_monitor (see
                                     page 35).
              SAM_REQUEST_RECEIVED   The SAM Server received the request. No
                                     data processing is needed.
              SAM_MODULE_FAILED      The SAM Server was unable to communicate
                                     with one of the specified VPN-1 Modules.
                                     This might happen if the Module is down or
                                     if the authentication procedure used for
                                     VPN-1 communication between the SAM Server
                                     and the Module fails.
              SAM_MODULE_DONE        The SAM Server processed the request for
                                     one of the specified VPN-1 Modules.
              SAM_REQUEST_DONE       The SAM Server processed the request for
                                     all of the specified VPN-1 Modules.
index         An ordinal specifying the VPN-1 Module referred to in this call.
              Zero is the first, 1 is the second, etc.
total         The total number of VPN-1 Modules processed in the request.

host          The object name of the VPN-1 Module referred to in this call.
handler_data  The argument passed to sam_client_monitor (see page 35).
monitor_data  The data about monitored actions. monitor_data is only valid if
              status is SAM_MODULE_DONE. Data can be retrieved using the
              Table Management Functions. For more information see section
              “The Table Management,” on page 39.

Return Values
OPSEC_SESSION_OK if the session can continue.

OPSEC_SESSION_END if the session is to be closed.

OPSEC_SESSION_ERR if the session is to be closed due to an error.
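
One way to consume monitor_data defensively, as an added example that is not code from the SDK or from this specification: check the run-time row format against Table 2-6 before trusting column positions, and copy each element by value, because handler arguments are valid only while the handler runs. The demo_* names, the stand-in type values, one element pointer per column, host byte order for the port and protocol fields, and 0 as the SAM_EXPIRE_NEVER value are assumptions made so the block runs without the OPSEC headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-ins for the opsec_vtype values of Table 2-12 (real ones: SDK headers). */
typedef enum { DEMO_VT_IP, DEMO_VT_PORT, DEMO_VT_PROTO, DEMO_VT_LOG,
               DEMO_VT_ACTION, DEMO_VT_DURATION_TIME } demo_vtype;

/* Column layout of Table 2-6, compared with the format seen at run time. */
#define DEMO_NCOLS 9
const demo_vtype demo_expected[DEMO_NCOLS] = {
    DEMO_VT_IP, DEMO_VT_IP, DEMO_VT_IP, DEMO_VT_IP, DEMO_VT_PORT,
    DEMO_VT_PROTO, DEMO_VT_LOG, DEMO_VT_ACTION, DEMO_VT_DURATION_TIME
};

/* Private copy of one row, safe to keep after the handler returns. */
typedef struct {
    uint8_t  ip[4][4];   /* src, src mask, dst, dst mask (network order) */
    uint16_t port, proto;
    uint32_t log_flag, action;
    time_t   expiration;
} demo_sam_row;

/* Returns 1 only if the run-time format is exactly the layout of Table 2-6. */
int demo_format_matches(const demo_vtype *fmt, int ncols)
{
    return fmt != NULL && ncols == DEMO_NCOLS &&
           memcmp(fmt, demo_expected, sizeof demo_expected) == 0;
}

/* Copies one row by value; returns -1 on a bad format or a NULL element. */
int demo_copy_row(const demo_vtype *fmt, int ncols,
                  const void *const *elems, demo_sam_row *row)
{
    int i;
    if (elems == NULL || row == NULL || !demo_format_matches(fmt, ncols))
        return -1;
    for (i = 0; i < DEMO_NCOLS; i++)
        if (elems[i] == NULL)
            return -1;
    for (i = 0; i < 4; i++)
        memcpy(row->ip[i], elems[i], 4);
    memcpy(&row->port,       elems[4], sizeof row->port);
    memcpy(&row->proto,      elems[5], sizeof row->proto);
    memcpy(&row->log_flag,   elems[6], sizeof row->log_flag);
    memcpy(&row->action,     elems[7], sizeof row->action);
    memcpy(&row->expiration, elems[8], sizeof row->expiration);
    return 0;
}

/* "any" for the all-zero wildcard address, otherwise address/mask. */
static void demo_net(const uint8_t a[4], const uint8_t m[4], char *out, size_t n)
{
    if ((a[0] | a[1] | a[2] | a[3]) == 0)
        snprintf(out, n, "any");
    else
        snprintf(out, n, "%u.%u.%u.%u/%u.%u.%u.%u",
                 a[0], a[1], a[2], a[3], m[0], m[1], m[2], m[3]);
}

/* Renders a copied row; never is the caller's SAM_EXPIRE_NEVER value. */
int demo_describe_row(const demo_sam_row *r, time_t never, char *out, size_t n)
{
    char src[32], dst[32], port[8] = "any", proto[8] = "any", exp_s[24] = "never";
    demo_net(r->ip[0], r->ip[1], src, sizeof src);
    demo_net(r->ip[2], r->ip[3], dst, sizeof dst);
    if (r->port) snprintf(port, sizeof port, "%u", (unsigned)r->port);
    if (r->proto) snprintf(proto, sizeof proto, "%u", (unsigned)r->proto);
    if (r->expiration != never)
        snprintf(exp_s, sizeof exp_s, "%lld", (long long)r->expiration);
    return snprintf(out, n, "src=%s dst=%s port=%s proto=%s log=%u action=%u "
                    "expires=%s", src, dst, port, proto,
                    (unsigned)r->log_flag, (unsigned)r->action, exp_s);
}

/* Constructed sample: 192.0.2.0/24 to any destination and port, TCP. */
const char *demo_sample(void)
{
    static char out[160];
    uint8_t src[4] = {192, 0, 2, 0}, mask[4] = {255, 255, 255, 0}, any[4] = {0};
    uint16_t port = 0, proto = 6;
    uint32_t log_flag = 1, action = 2;  /* constructed numeric values */
    time_t never = 0, expiry = 0;       /* 0 stands in for SAM_EXPIRE_NEVER */
    const void *elems[DEMO_NCOLS] = { src, mask, any, any, &port, &proto,
                                      &log_flag, &action, &expiry };
    demo_sam_row row;
    if (demo_copy_row(demo_expected, DEMO_NCOLS, elems, &row) != 0)
        return "unexpected row format";
    demo_describe_row(&row, never, out, sizeof out);
    return out;
}

int main(void)
{
    puts(demo_sample());
    return 0;
}
```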

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust
product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary
of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright
© 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are
permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the
University may not be used to endorse or promote products derived from this software without specific prior written permission. This
software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software
without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC
YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C)
1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will
the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for
any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this
software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software;
you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper
Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own.
Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce
Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring
Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998,
1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner.
Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001,
2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions
relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997,
1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the
file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van
den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial
application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of
the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If
you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible
documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but
not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying
documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and
Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You
may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF
THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use
or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are
met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For
written permission, please contact group@php.net.

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission
from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it
"PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing
version number. Once covered code has been published under a particular version of the license, you may always continue to use it
under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the
license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code
created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be
contacted via Email at group@php.net.

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend
Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Copyright (c) 2003, Itai Tzur <itzur@actcom.co.il>

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions
are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this
software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to
the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of
the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed,
republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is
granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you
do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise
stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any
unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and
publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are
breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered
Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be
Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or
otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual
property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity
pertaining to distribution of, or access to, materials in
this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless
establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be
referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the
U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The
Government's rights to use, modify, reproduce, release, perform, display or disclose are
restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software
Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in
Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial
Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of
the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use,
duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED.
TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER
PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS
REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE
RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE
INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED
FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR
EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5
language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE,
supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <ph10@cam.ac.uk>

University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions
are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
